chrome/docker-compose.yml

version: '2'

# Initialize
# docker run --rm -ti -v chrome_data:/data busybox /bin/sh -c "chown 1000:1000 /data"

volumes:
  data: {}
  certs: {}

services:
  chrome:
    image: andrey01/chrome
    read_only: true
    network_mode: bridge
    devices:
      - /dev/dri
      # - /dev/video0
    volumes:
      - /tmp/.X11-unix:/tmp/.X11-unix:ro
      - $XDG_RUNTIME_DIR/pulse:/run/user/1000/pulse
      - data:/data
      - certs:/home/user/.pki/nssdb
      - $HOME/Downloads:/home/user/Downloads
      - /var/run/cups:/var/run/cups:ro
      - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro
      - /tmp/krb5cc_1000:/tmp/krb5cc_1000:ro
    environment:
      - DISPLAY=unix$DISPLAY
      - PULSE_SERVER=unix:$XDG_RUNTIME_DIR/pulse/native
      # some webapps won't work when the timezone is not properly set, e.g.
      # the ownCloud's (v9.0.0) calendar (v1.0.0.0) does not work correctly
      # the same could happen with Icinga2 web interface
      - TZ=Europe/Amsterdam
    # SYS_ADMIN is NOT required if you run chrome with `--no-sandbox` flag
    # more on CAP_SYS_ADMIN https://lwn.net/Articles/486306/
    cap_add:
      - SYS_ADMIN
    # security_opt:
      # - apparmor:docker-ptrace
      # - apparmor:unconfined
    # fixes the: grsec: denied resource overstep by requesting 28 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome
    ulimits:
      nice: 28
    shm_size: 4G